CVE-2018-1227: Concourse-dot-ci Domain Issue

Severity

High/Advisory

Vendor

Concourse CI

Description

The original domain for the Concourse CI (concourse-dot-ci) open source project has been registered by an unknown actor, and is therefore no longer the official website for Concourse CI. The new official domain is concourse-ci.org.

At approximately 4 am EDT on March 7, 2018 the Concourse OSS team began receiving reports that the Concourse domain was not responding. Upon investigation with both the original and the new domain registrars, the Concourse OSS team discovered that the originating domain registrar had made the domain available for purchase. This was done despite the domain having been renewed by the Concourse OSS team through August 2018.

Affected Pivotal Products and Versions

Severity is high/advisory unless otherwise noted.

At this time, Pivotal does not believe that any resources or builds of Concourse have been compromised.

Binaries for Concourse for PCF available on Pivotal Network are not affected by this issue.

Downloads from the Concourse OSS team available on Github are not affected by this issue.

Downloads from concourse-dot-ci before March 6, 2018 18:00:00 EST are not affected by this issue.

However, as long as the old domain is not under the control of the Concourse OSS team, it is possible that it could be used for malicious purposes.

Pivotal is helping to investigate this issue and is working with the Concourse OSS team to mitigate the effect of this change on the Concourse community.

Mitigation

The Concourse CI project recommends the following mitigation steps:

Pivotal customers should continue to use Pivotal Network to download new builds of Concourse.

Notify all Concourse users within your organization that the new official domain for Concourse is concourse-ci.org.

Update any Concourse-related tooling to point to concourse-ci.org (e.g. Slackbots that watch for release notes, new versions of Concourse).

Review Concourse resource dependencies in your CI pipelines for references to, or dependencies on, the old website (e.g. pipeline resources that fetch from the Concourse site to perform self-updates).

Consider blocking requests to concourse-dot-ci at your organization's DNS resolvers, so that any remaining reference fails closed rather than reaching a domain outside the project's control.
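The pipeline review step above is easy to do badly with a plain substring search, which flags look-alike hosts and misses references hidden in task scripts. The following Python script is an added example, not part of this advisory and not Concourse project tooling. It assumes the domain the advisory writes as concourse-dot-ci is the literal hostname concourse.ci, scans raw pipeline text (so references inside task args, embedded shell and commented-out lines are caught), and matches the host exactly or as a parent domain so that names such as notconcourse.ci or concourse.ci.mirror.example.com are not reported. The sample pipeline embedded at the bottom is constructed for illustration.

```python
import re
import sys
from urllib.parse import urlsplit

# The advisory writes the lost domain as "concourse-dot-ci"; the literal
# hostname concourse.ci is assumed here. Adjust if your records differ.
OLD_DOMAIN = "concourse.ci"
NEW_DOMAIN = "concourse-ci.org"  # current official domain, per the advisory

# Tokens that can carry a hostname in pipeline YAML or embedded shell:
# scheme://host/path, scp-style git@host:path, or a bare dotted name.
HOST_TOKEN_RE = re.compile(r"""(?ix)
      (?P<url>[a-z][a-z0-9+.-]*://[^\s'"]+)              # https://host/path
    | (?P<scp>[\w.-]+@(?P<scphost>[\w.-]+):[^\s'"]+)     # git@host:path
    | (?P<bare>(?<![\w.-])[\w-]+(?:\.[\w-]+)+(?![\w-]))  # bare host.name
""")


def _host_of(match):
    """Extract and normalise the hostname from a regex match ('' if none)."""
    if match.group("url"):
        try:
            host = urlsplit(match.group("url")).hostname
        except ValueError:  # e.g. unbalanced IPv6 brackets
            host = None
    elif match.group("scp"):
        host = match.group("scphost")
    else:
        host = match.group("bare")
    return (host or "").lower().rstrip(".")


def references_old_domain(host):
    """True for the old domain itself or any subdomain of it.

    Exact or parent-domain matching (not substring search) keeps look-alikes
    such as notconcourse.ci or concourse.ci.mirror.example.com out of the report.
    """
    host = host.lower().rstrip(".")
    return host == OLD_DOMAIN or host.endswith("." + OLD_DOMAIN)


def scan_pipeline_text(text):
    """Return (line_number, host, token) for every reference to the old domain.

    Scans raw text rather than parsed YAML so that references inside task
    args, embedded shell scripts and commented-out lines are found as well.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in HOST_TOKEN_RE.finditer(line):
            host = _host_of(m)
            if host and references_old_domain(host):
                findings.append((lineno, host, m.group(0)))
    return findings


def format_report(path, findings):
    """Human-readable summary of scan_pipeline_text() results for one file."""
    if not findings:
        return f"{path}: no references to {OLD_DOMAIN}"
    out = [f"{path}: {len(findings)} reference(s) to {OLD_DOMAIN}; "
           f"repoint to {NEW_DOMAIN} or remove:"]
    out += [f"  line {lineno}: {token}  (host {host})"
            for lineno, host, token in findings]
    return "\n".join(out)


# Constructed sample pipeline (not a real project pipeline). It exercises a
# URL with a port, a mixed-case scp URI, a look-alike parent domain, the new
# official domain, and a bare host inside an embedded shell command.
SAMPLE_PIPELINE = """\
resources:
- name: fly-binary
  type: s3
  source:
    endpoint: https://concourse.ci:443/downloads/fly
- name: docs
  type: git
  source:
    uri: git@Concourse.CI:concourse/docs.git
- name: mirror
  type: git
  source:
    uri: https://concourse.ci.mirror.example.com/docs.git
- name: new-site
  type: git
  source:
    uri: https://concourse-ci.org/docs.git
jobs:
- name: self-update
  plan:
  - task: fetch-fly
    config:
      platform: linux
      run:
        path: sh
        args: ["-c", "wget -q ci.concourse.ci/latest && echo notconcourse.ci"]
"""


def main(argv):
    # Usage: python scan_pipelines.py pipeline1.yml pipeline2.yml ...
    # With no arguments the constructed sample is scanned instead.
    paths = argv[1:]
    if not paths:
        print(format_report("<sample>", scan_pipeline_text(SAMPLE_PIPELINE)))
        return
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            print(format_report(path, scan_pipeline_text(fh.read())))


if __name__ == "__main__":
    main(sys.argv)
```

Run against the sample, the script reports lines 5, 9 and 26 (the s3 endpoint, the scp-style git URI and the bare host in the task's shell args) and leaves the mirror and new-site resources alone. The same scan can be pointed at the output of fly get-pipeline for every pipeline on a team, since that output includes resource definitions that were set from templates or credential managers and may not exist as files in any repository.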

History

2018-03-09: Initial vulnerability report published

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. PIVOTAL RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. PIVOTAL EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.